firejail

Firejail is a SUID security sandbox program that reduces the risk of
security breaches by restricting the running environment of untrusted
applications using Linux namespaces. It allows a process and all its
descendants to have their own private view of the globally shared
kernel resources, such as the network stack, process table, and mount
table.

Firejail can sandbox any type of process: servers, graphical
applications, and even user login sessions. Written in C with
virtually no dependencies, it should work on any Linux computer with a
3.x kernel version.
